SSH. Telnet is done in plain text. Anything you send over it, of course, people can sniff.
Setting up SSH, it's installed in 10.0.4. Prior to that, you have to get a build, and the URL for that is on the resource paper in the other room.
Keeping it secure, like with any operating system, it offers the ability to have log files, and it uses the BSD log file system. Everything is stored in the logs directory under /var.
If you keep an eye out for that, you will see when people try to connect to your computer; you'll see any error, any access that goes on.
If you have somebody on your box that you don't trust, you could see if they're trying to hack into your account from there.
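The log review just described, as an added example that is not part of the talk: a POSIX shell function that pulls failed SSH logins out of syslog-style lines and ranks the source addresses by number of attempts. The log lines are constructed for the demo (the host name, addresses and process IDs are made up); on a real system they would come from the files under /var/log.

```shell
# Added example, not from the talk: pull failed SSH logins out of syslog-style
# lines and rank the source addresses. The log lines below are constructed for
# the demo; on a real system they would come from files under /var/log.

# Read syslog lines on stdin, print "count address" for failed password
# attempts, most frequent source first.
failed_logins() {
    grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.][0-9.]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample log (not real traffic)
sample_log() {
    cat <<'EOF'
Jul 14 03:10:01 mac sshd[412]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Jul 14 03:10:09 mac sshd[415]: Failed password for root from 192.0.2.9 port 40110 ssh2
Jul 14 03:10:12 mac sshd[416]: Failed password for root from 192.0.2.9 port 40111 ssh2
Jul 14 03:11:40 mac sshd[420]: Failed password for invalid user admin from 198.51.100.7 port 3300 ssh2
Jul 14 03:12:02 mac sshd[421]: Connection closed by 198.51.100.7
EOF
}

# Address with the most failed attempts in the sample log
top_offender() {
    sample_log | failed_logins | head -n 1 | awk '{print $2}'
}

# Number of failed attempts from a given address in the sample log
# (prints nothing when the address never failed)
attempts_from() {
    sample_log | failed_logins | awk -v ip="$1" '$2 == ip {print $1}'
}

# Run against the constructed log; a real check would be
#   failed_logins < /var/log/system.log
sample_log | failed_logins
```

Successful logins and unrelated sshd lines are dropped by the grep, so the ranking only counts failures; feeding a real log through `failed_logins` on stdin is the same pipeline.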
As far as security auditing tools for OSX, right now there aren't that many out there.
People are porting the security software for it, but the vendors that are out there right
now are facing different things because you're dealing with Unix and you're dealing with
the Mac platform, so you can't truly port it over.
You can't really port it over without losing the functionality of one part of the operating
system. This software here, Virus Barrier, Net Barrier,
that will be available quarter three. About viruses for OSX, currently there are
not any, but there are virus scanners for it. There is the Virex command line scanner. They also have the OS X GUI version of it, but right now you're not going to run into anything like that.
In the news, it's been the Simpsons virus, which was actually an AppleScript that has almost the same ability that the Melissa virus did, emailing the addresses. So at least people have taken concern with it, and they're comparing it against other operating systems now, rather than just, you know, it's Mac OS, there's no hacks out for it, it's secure.
Guest up here, his name is Agent OJ. He's from the Macintosh underground programming
group called Team 2600. He's here, and he'll be talking a little bit about Team 2600's new program, and a little bit about the programming group and where to find them on the web.
First off, I'd like to thank Freaky for giving me the time to speak here.
A little bit of history about Team 2600. Team 2600 was founded in 1994 by CyberTosh
and his friend 6Time. Back then, they were still in high school, constantly arguing with
their sysadmin over the battle between Windows and Macintosh.
They were part of a 2600 newsgroup online, and one day the topic came up about some Windows hacks, and they decided to put those to use on their school system and ended up hacking about 50 boxes there.
And to show their admin up for his battling with them, they wrote, you've been hacked
by Team 2600, get secure, get a Mac on the setup screen of every computer.
After that, they decided that, hey, maybe they should start an actual Mac-only underground team, and that progressed from there. That was about 1996 that that started.
And their member base is slowly growing.
Now we're at about 10 active members, and we are the largest underground Mac-only group
that's active right now.
We have about 10,000 web visitors a month to our site, which is www.team2600.com.
We have a wide range of software, ranging from PortMaster, which is a port utility. We have some port scanners.
There's Proxy Bouncer; it's a utility to stack proxies, and it enables proxy support and SOCKS support for any program that doesn't already have it.
We also, what I've personally worked on is the Sub7 project for Macintosh.
I ported it over to the client a few months ago, and the announcement today is that the
server is almost finished for the Macintosh.
Right now it's about 80% finished, and there is a preview copy available for anyone who's
interested.
That should be finishing up within the next couple months.
Right now I just have a couple things to demo on the screen that we finally got up.
First off, I'll show our latest program, which is the Sub7 client port.
And basically it's the normal Sub7 client, but just on Macintosh.
It has all of the features, getting PC info, getting home info, getting passwords, everything
that you'd want the key loggers up, and that will be ported generally to the Macintosh.
Overall, we basically want to keep producing some quality programs.
We're recently working on making more utilities for OS X.
There's Yaba, which is a vulnerability scanner for OS X only, and other Unix systems that
also runs on those.
That's one of our newest programs.
So we're always looking for new members or interested programmers, so check out our website
and let us know if you'd be interested.
Thank you.
Once again, I'd like to thank Freaky for giving me the time to speak here at DEF CON.
Thank you.
Thank you.
All right, back to OS X.
Single user mode.
Command-S during startup will drop you into root mode, where you can change the root password.
The command for that is /sbin/mount -wu /, which mounts the hard drive in read-write mode.
Then you have to start up the system starter, /sbin/SystemStarter.
That starts the NetInfo service, which gives you the ability to change the root password.
By typing root password without having to verify the original password, you can change the password, and then log out and log back in.
You have root access.
There's been a lot of people saying that that really isn't a vulnerability, that single
user mode has existed in Unix operating systems as a way for them to get back in just in case
they break things.
Mac OS people, they're bound to forget their passwords.
A lot of them are.
Get people asking me all the time, how do I get back into this?
I forgot this password.
So a way to protect that: there's a program out. It's on msec.net, made by a guy named Marooca.
It's a patch that patches the system to disable single user mode.
Now by doing this, you're not going to be able to get back in, so if you forget your password, you're going to be screwed to some extent.
Another way to disable it would be Apple's new ability, which is Open Firmware password protection.
Open Firmware offers you a way into the back end of the operating system, where it figures out how things are running, and you can enable the Open Firmware password protection.
It's basically the same as a BIOS password for a PC, so when you try to get past it, it'll ask you for that password.
To enable that, you boot into it by doing Command-Option-P-R... no, that'll zap the PRAM. O-F, Command-Option-O-F, thank you. That'll let you into the mode.
From there, you could type in, let me get my notes up here.
But by setting this, you're not going to be able to get back in it any other way.
It's not supported.
It's not supported by Apple, really.
They don't have any documents on setting the password.
So once that's set, you could be screwed if you forget your password.
To enable that, you type password. It will take you into the password prompt.
From there, you do setenv security-mode full, or you could do setenv security-mode and then whatever command you want.
To disable it, you log in with the same method, if you remember your password, and you do setenv security-mode and change it back to none.
Zapping the PRAM by doing Command-Option-PR
will not let you back in from it.
You can boot from the CD by using the SCSI ID
if you have a SCSI CD-ROM drive.
That command is on my website.
Right now, we're going to talk a little bit about...
Last year, we talked about MacPork,
which was the security analyst tool
made by DarkSider of Team 2600.
It was a hit, but he didn't have the time to continue it,
so we're going to talk a little bit more about it.
So another group took on the project.
It is called MacAnalyst now.
It is a shareware application.
It'll let you run it for 10 minutes.
It will scan any operating system you have.
Their database is updated daily with new vulnerabilities.
So from your Macintosh, you could do security auditing.
You can see if your friends,
ISPs, computers are secure.
Some great things about the program, though,
it gets kind of advanced within it.
There are so many different options for it.
We don't have a net connection here, though.
From the menu, you see you have the standard TCP commands, just whois. And then you go down here to the security browser. You type in the URL.
This is mostly for the CGI scripts that may rely on the system.
If you do the standard scan,
it'll tell you what you have running on it.
And then you use this program right here to verify it.
It'll execute the command for you.
So you could actually see if it's just a port open
that you have used for something else
or if it's actually vulnerable.
From this list right here, you could see that there's quite a lot
of different things
that it checks for.
The program is 50 bucks. There's many different things built in it.
There's brute force, which will test the account with the password file and see if it could gain access.
This tool could be used by anybody.
They market it for the security administration side.
But if, let's say, a hacker got a hold of this, I mean,
this could be their dream.
This could be their dream tool for the Mac OS.
It has ICMP logger.
You could see if people are pinging you if you're one
of those people who are on IRC and get attacked all the time.
Supports plug-ins.
It's updated all the time.
It's done by a group of French people.
So some of the spelling on here is incorrect,
but they fix it right away.
Okay. I have demo mode.
So up here we have software.
How many of you run Macs?
Jesus. I remember last year there was
about 10 people running Macs.
How many of you are running OSX?
Jesus. All right.
Well, the software I have up here isn't OSX.
It's for classic OS9.
First one is Virus Barrier.
Now, if I throw this out and I hit somebody,
are you going to be pissed?
All right.
Throw it out, man.
This one right here, it was opened by customs
when it was sent from France.
Everything's in it.
Thank you.
Always entertaining.
We'll get to more in a minute.
But the open firmware password protection
is a great advancement in Apple's operating system
because they have not had anything like that in the past.
All the security passwords for it,
you've been able to bypass it by doing shift during startup.
By bringing up the extension manager,
by holding space bar,
disabling anything that you want to from there,
or even by booting up off of a startup disk or CD.
Open firmware password protection,
when it's set, you won't be able to do all that,
and you'll keep your computer more secure.
It's excellent for environments where you have people
rebooting your systems,
trying to hack it all the time,
school environments,
because I remember when I went to school,
the whole Mac classroom was full of people
trying to get past the security programs they had on it.
First, it was At Ease, which was very simple.
This guy right here was in one of my classes,
and we sat there just, like, hacking the network.
It was pretty damn fun.
All right, so you can play with Mac analysts,
keep people in it.
I'm entertained by that.
Another group, O'Reilly,
offered some stuff on Mac-related stuff.
I got a T-shirt here for Cocoa, programming language stuff that they got.
They have a book out on it.
They want you to buy it.
So I got a T-shirt here.
I'm going to throw it out that way.
Won't get far.
Told you.
Porting security-related applications to OSX
as far as from the Unix platform
is going to be a lot simpler.
It's going to take some people
with Unix experience to understand it.
A lot of people are used to the real basic programming language.
Rather than C or Perl or anything else
that's now supported by OSX.
So anybody who's into that,
wanting to port some apps for it,
it would be great to put on freaky.staticusers.net,
my one-time plug of the day.
There hasn't been that many new
Macintosh security-related applications
or hacking apps out for the past year.
Team 2600 has been one
of the major players in that.
They've done a great job.
Anything that you want done, you go to PacketStorm,
you see a program there that you want ported to the Mac OS,
you email this guy right here,
and he'll have it taken care of.
Sorry to put you in that situation.
Programs for Mac OS Classic, new in the year.
First one was done by Weedo.
He's been a Macintosh programmer
with the assistance of DerangedCow.
That program is called MacSmurf.
It lets you have the ability to send ICMP packets,
basically an attacking program,
Smurf attack, in fact, from the Mac OS.
For years, it hasn't been possible.
Nobody's actually done it.
Any application that's been out there
hasn't been able to create the ICMP packets,
unfortunately.
So you can't really charge it.
MacSmurf, it lets you do all of the above with it.
Use the broadcast address, everything.
You're set with that program.
What other OS 9 stuff we got on there?
Jesus.
No, I don't want that one.
Etherpeg was a program demonstrated.
It was actually created at the Mac Hack Conference.
This program,
I doubt it's configured for this computer,
but the source code is included.
You configure it for your Ethernet card.
It'll sit and listen to the packets on the network.
As any images go by, JPEGs, GIFs,
it'll actually bring it up on your screen,
and you'll see what they're doing.
So whether they're looking at the nice sites
or the dirty sites, you got them red-handed.
So great tool for administrations, or just... people who want free porn.
For OS X, enabling more security options on it,
you have the ability to use GPG,
which is the equivalent open source of PGP.
It's GPG mail that has been ported to Mac OS X.
There is an install client for it.
So you could use your PGP,
your PGP ability under Mac OS X without paying the fees
that network associates charges for it.
Security scanning, Yaba was one of them that he mentioned.
The other one is Snort, is the program Snort.
How many of you are familiar with it?
Are you guys just screwing with me?
Anyway, that has been ported to Mac OS X.
It's a security intrusion-type tool.
So slowly and surely, we will see Mac OS X security
applications available.
As far as that, there really isn't
that much security stuff for OS X.
You have a little bit of security stuff for OS X.
You have scripts coming up that will make the box crash like that.
C scripts, those are on freaky.staticusers.net,
second time.
Does anybody have any questions?
Please say no.
Is there a particular reason why IPFW is not installed anywhere?
IPFW?
Is it not installed?
Is it installed on your machine?
Try and locate.
10.0.4?
It is there because that's, whether or not it's under a different name
or where it's located, I don't know that right now.
Probably under /sbin or something like that.
But programs like the GUI applications for it
use that.
It interacts with that program to configure it.
So it is on there.
So we could find that for you.
OK, another t-shirt?
All right.
This is the same one.
All right.
Let's see what I can do.
That's like the second out that way.
I think it's under /sbin.
Yes. It's under /sbin. IPFW is under /sbin.
Wait a second.
Maybe your computer, somebody took it off
because they didn't want you to set up a firewall.
Yeah.
Try booting it one more time.
Any other questions?
Way in the back.
That's you.
It looks like a lot of...
All of the links are linked to the mixture of old man voice and viewing style.
I remember seeing the Apache One mobile where it was a case sensitivity problem, where it was looking for a certain thing.
There's got to be a lot more than just running Apache on voice access.
Has there been any of it like that?
As far as that one goes, that's really the only Apache problem.
That's been noted right now.
It's just simple things like that that end up becoming a problem.
People upgrading from beta version to public version
have noted that some of their directories
are read world writable by everybody on there
just because of some file permissions going on there.
So if you upgrade, make sure that you change, you look over,
all the file permissions, make sure that not everybody
could access it.
Because, well, if you let anybody on your box,
then you're basically a sitting duck.
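The post-upgrade permissions check the speaker recommends, as an added example that is not part of the talk: a POSIX shell function that lists every path under a given root that is writable by "other", skipping sticky-bit directories such as /tmp, which are world-writable by design. The demo tree it builds under mktemp is constructed for the example and is not a real OS X install; the function names are the example's own.

```shell
# Added example, not from the talk: after an upgrade, list every path under a
# root that is writable by "other", leaving out sticky-bit directories such
# as /tmp, which are world-writable on purpose. On a real system run
#   world_writable /
# The demo tree below is constructed, not a real install.

world_writable() {
    # -perm -0002                : the other-write bit is set (octal form is POSIX)
    # ! ( -type d -perm -1000 )  : skip sticky-bit directories
    # ! -type l                  : symlink modes carry no meaning
    find "$1" -perm -0002 ! \( -type d -perm -1000 \) ! -type l -print 2>/dev/null
}

# Number of offending paths; anything above zero needs a look
world_writable_count() {
    world_writable "$1" | wc -l | tr -d ' '
}

# Constructed demo tree: one good directory, one bad directory holding a bad
# file, and a sticky /tmp look-alike. Prints the tree's root.
make_demo_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/Library/good" "$d/Library/bad" "$d/tmp"
    chmod 755 "$d/Library" "$d/Library/good"
    chmod 777 "$d/Library/bad"
    chmod 1777 "$d/tmp"
    printf 'x' > "$d/Library/bad/note.txt"
    chmod 666 "$d/Library/bad/note.txt"
    printf '%s\n' "$d"
}

demo="$(make_demo_tree)"
world_writable "$demo"   # lists .../Library/bad and .../Library/bad/note.txt
rm -rf "$demo"
```

The sticky-bit exclusion is what keeps the list useful: without it, /tmp and similar directories show up on every run and the real findings get lost in the noise.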
That's one of the things, case and Snort on there, and I've got the rule set for it to get filtered before it gets the Snort...
I'm not sure about the case and Snort, where the sensitivity matters.
We would demonstrate it.
Right now, we're having a little bit of a problem mirroring it.
So if anybody, again, knows any information on that or is,
there we go.
All right.
So first application that we're going to demonstrate
is BrickHouse, which does use IPFW to configure
the firewall settings.
There's a nice graphic user interface.
Program first rolled out.
It was free.
Now there's like a $10 shareware on it.
Simple programs.
If you don't want to pay the shareware fee,
there's other alternatives out there for it.
All right.
So let me have a seat here.
This is, what do you do?
It's hard to say.
I don't know.
I don't have a background.
Okay.
Another box.
This one's NetBarrier.
This is your basically firewall.
It has a lot of other stuff in it.
For instance, it could lock your modem, so it requires a password.
So if you do have any Trojans or something like that that happens later on, it does lock
your modem, so it won't be able to dial out.
Okay.
GAA.
This is gonna rock.
Yeah.
Next time, I'll, like, surf it out there.
That's all we have?
Yeah.
Just the background they want...
All right.
You get to see the background for OS X.
You don't get to see any of the applications for it.
So we're still working on that.
Problems after problems.
All right, more questions.
As far as all the development tools like GCC, you can get that off of Apple's website in their development center.
They just took on, I believe it was a FreeBSD guy, to do a lot of the porting for them, or manage that team, so there will be a lot more applications quickly being ported for it.
GCC is not installed by default?
10.0.4?
It is, and it's on the developer CD, yes.
All right, so we have it up on the screen here. This is BrickHouse.
Easily, they took out a lot of the functionality in it, because people were complaining they didn't understand what it was.
When the program first rolled out, it was basically, it gave you... you could edit the log files for it, you could edit the actual settings for it.
You still can now, but they have it worked into a nice GUI: basically filters on/off, that simple.
Once you close it, you save it, it's set up.
It has the ability for AirPort. How many of you are using AirPort?
All right, the Etherpeg program also does support that, so if you're on an AirPort network, or you're at an airport that supports AirPort, you could be watching people's images as they go by.
Setting it up is simple; it's self-explained. I feel like I'm wasting time here by just looking at it.
Add gateway, edit gateway, restricted services. This must be demo mode.
Can you restrict port access?
Port access you can restrict. You can. There's the port mapping tools; some of those are available for OS X now. You could restrict whether or not they allow the connections.
Again, SSH: you could deal with the hosts allow/deny files, restricting or denying permission for specific services.
You have all of the Unix functionality with a nice Mac OS interface.
You can monitor everything that's going on with this. It's just like looking at the log file, except it brings up the log file for you in a nice pretty way, with a pretty background.
Another thing that I have worked on over the past year was revising a chapter for this book, Maximum Security. I did the Macintosh security chapter.
It has a lot of new updates in it. It talks a little bit about OS X, but not much, because it was done so long ago, and a lot of the different hacking programs.
This book is, in general, a good book for anybody.
So I'm going to give this away right now, except this time I'm going to have my lovely assistant right here bring it to somebody.
So basically you have to woo her into giving it. Who wants it? Easy enough.
I will have more of those books later on; I'll be giving them out. I got a few extra copies of it.
Setup assistance for it: the program makes it so anybody could set up the firewall, whether or not you're a pro Unix user or you're just the good old Mac user.
BrickHouse, like I said, is only one of them. If you go to securemac.com, you'll see other utilities there.
SSH is now supported. There's SSH administration utilities. There's sshd administrator, which allows you to configure SSH, excuse me, SSH, the accessibility of it and everything like that.
All right, who else had a question? That guy right there. Yes.
Once you have the Open Firmware password set in there, you do need to enter the password when you enter the Open Firmware password mode, or when you enter... No, you won't be able to reset, zap the PRAM, anything like that. So it is a way to keep you secure.
Mail server? None. Sendmail, it's built in, but it's turned off by default.
Many of the services that are built in by default are turned off, because they wanted to make it out-of-the-box secure, just like disabling root, password.
Do you know much about if there would be security issues with SendMail as opposed to other important
things like that?
So far as it stands, there hasn't been any noted security issues with SendMail for Mac
OS X.
I haven't compared anything to prior SendMail exploits or vulnerabilities like that.
So, we're standing clear until somebody goes out and hacks it again or finds a bug in it.
SendMail is going to be there.
This is the command file for it, the filter.
This is the file that you could actually go into and set your own options in there.
What you're going to allow, what you're not going to allow.
The packet sizes that you're going to allow, things like that.
Mac Analyst, they have given me the option of giving away 10 serial numbers for it.
At the end, I'll collect your emails of that.
First 10 people up here will get a free copy of it.
Another thing for the Mac.
There hasn't really been any...
Filtering software.
One of the first ones out there, which works pretty well, is Content Barrier.
You got kids, you got school, whatever.
This program will keep log of everything going on.
If somebody...
You could set up your own filters in there.
So, if somebody says, how old are you, what's your age, what's your name, things like that.
If you're a parent, you could have it send it to your cell phone.
You could have it send you an email.
So, you can know when anything's going on like that.
This program's going out right now.
I was never that good at Frisbee.
Which side haven't I hit?
That side.
Oh, shit!
Jeff is never going to let me back here again.
Okay.
Nobody saw that.
And...
Is anybody going to say anything?
No!
Because if somebody is, I mean, I could bribe them with this AppleScript book right here.
This time, somebody could come up for it.
All right.
Fine.
You could have a T-shirt.
Too bad.
Here.
This will get you started.
A book on their Mac OS X stuff.
All right.
I'm going to try to stay away from throwing shit.
Any other questions?
Speaking of locking down services, do you know of any useful work to keep the NetInfo
binder from opening, from binding maybe ports while not crippling OS X?
His question was, is there any way to bind NetInfo to specific ports without crippling
OS X or the services?
To keep it from binding it.
Ah, to keep it from binding it.
Anybody know the answer to that?
I haven't, oh, that guy back there.
How do you know?
NetInfo is gone, the guy tells me.
So, what are they going to use to replace it? Next week, 10.0.5. 10.1. See, we got an inside guy right here. Maybe we can have him come up here and tell us a little bit about inside OS X security. Come on up.
All right, another question? OS X and IPsec, what is going on with that? I want to look at that guy back there again. I am told several private companies are developing solutions for it, so watch out for it.
Yeah, it's not that hard. They just have to go and do it, bringing in the FreeBSD guy or the BSD guy. George? Ah, that guy. Yeah, he's going to make it a lot easier for the Mac OS people to utilize all the functionality of it.
All right, I'm going to finish up here, answer this guy's question.
So I'm wondering about like a trap wire and things like that.
TCP wrappers: OS X does come with TCP wrappers in 10.0.4. Glove.com is so you could wrap the, it's a Java program, gives you the ability to wrap the FTP protocol.
All right, everybody's leaving? Thank you.
Thank you very much.
